FBI investigates password-stealing scam

The bureau is looking into an Internet password-stealing scam that may have forwarded stolen online-banking codes to free email accounts run by U.S. companies.

January 2, 2002 4:43 PM PST

The FBI is looking into an Internet password-stealing scam that may have forwarded stolen online banking codes to free email accounts run by U.S. companies, according to security experts involved in the investigation.

A new variant of the infamous "I Love You" virus struck banks in Europe and the United States yesterday, potentially exposing some online-banking customers' accounts.

For now, the variant, "VBS/LoveLetter.bd," is only a threat to United Bank of Switzerland (UBS) customers, although the virus's existence could result in copycat versions attacking other financial institutions. That could pose a serious threat not only to banks but to consumers as well, according to security experts.

The variant of the I Love You virus, also known as the "Love Letter" or "Love" bug, affects people using Microsoft's Outlook email client. Like the original virus, it sends copies of itself to all of the addressees in a victim's email address book. In addition, the bug downloads a password-stealing program, "hcheck.exe," that lifts UBS PIN numbers and sends them to three email addresses: ct102356@excite.com, acch01@netscape.net and deroha@mailcity.com.

National Infrastructure Protection Center (NIPC) spokeswoman Debbie Weirerman confirmed the FBI is investigating where the virus sent the PIN numbers.

Network Associates' Antivirus Emergency Response Team (AVERT) also said it is working with the FBI. Sal Viveros, an AVERT director, said the three email addresses connected with the password threats have been shut down. But he said investigators are still searching for one or more Web servers that may also have been used to receive the stolen passwords.

"We believe the email addresses have been shut down, and we're awaiting to hear word the servers have been shut down," he said.

Network Associates, as well as Symantec and other antivirus-software makers, had rated the virus only a medium threat because it targeted a single financial institution. Network Associates plans to downgrade the threat to low after the FBI shuts down the Web server used in the attack.

The virus appears to have first affected UBS's European operations; Network Associates acknowledged 15 attacks, mostly in Germany. In a release today, the bank said that only "a small proportion of UBS e-banking customers are at risk," and "there are no reports of damage as of yet."

The threat was greatest to customers using UBS's online-banking software. "The virus attempts to steal scratch list numbers from the UBS PIN module," the bank warned in its release. The bank recommended that customers opening the Love variant block their "e-banking authorization immediately by entering an incorrect password three times."

NIPC, which is charged with protecting the security of the nation's computing infrastructure, has been issuing warning updates on the new variant throughout the day. Law-enforcement officials are taking the virus seriously, as it attacks financial institutions and steals passwords.